P
Help Centre

GDPR & Data Compliance

Last updated March 2026

Porter is designed with privacy and data protection at its core. This guide explains how Porter handles visitor data, your configuration options for compliance, and how to respond to data subject requests.

How Porter Handles Visitor Data

Porter takes data security seriously. All visitor data is protected using industry-leading encryption and security practices.

Encryption

  • At rest: All data is encrypted using AES-256 encryption
  • In transit: All connections use TLS 1.3 for secure data transmission
  • Database backups are also encrypted

Hosting and Infrastructure

  • Default hosting on secure cloud infrastructure with SOC 2 Type II compliance
  • EU hosting option: choose to have all data hosted exclusively on EU servers
  • Regular penetration testing and security audits
Security overview showing encryption and hosting details

Data Processing Agreement

A Data Processing Agreement (DPA) is available for all customers. The DPA outlines how Porter processes personal data on your behalf, in compliance with GDPR Article 28. Contact your account manager or email [email protected] to request a signed DPA.

Data Retention Settings

Porter lets you configure how long visitor records are kept before they are automatically deleted. This helps you comply with the GDPR principle of storage limitation.

Configuring Retention Period

  • Navigate to Settings > Privacy > Data Retention
  • Choose from preset periods: 30, 60, 90, 180, or 365 days
  • Or enter a custom retention period in days
  • Click "Save" to apply
Data retention settings with dropdown for retention period

Automatic Deletion

  • Visitor records older than the retention period are automatically deleted
  • Deletion runs daily and is irreversible
  • Deleted data includes: visitor name, photo, company, visit records, and signed documents
  • Aggregate analytics data (visitor counts, trends) is retained separately and is not personally identifiable

Right to Erasure

Under GDPR Article 17, individuals have the right to request deletion of their personal data. Porter makes it easy to fulfil these requests.

Deleting a Visitor's Data

  • Go to Settings > Privacy > Right to Erasure
  • Search for the individual by name or email address
  • Review the records found and click "Delete All Records"
  • Confirm the deletion — this action is permanent and irreversible
Right to erasure search and delete interface

Audit Log for Erasure

Every erasure event is recorded in the audit trail. The log records that a deletion took place, when it occurred, and who performed it — but it does not retain any of the deleted personal data. This allows you to demonstrate compliance without compromising the deletion.

Data Export (Subject Access Requests)

Under GDPR Article 15, individuals can request a copy of all personal data you hold about them. Porter provides a built-in tool to generate these exports.

Generating a Data Export

  • Navigate to Settings > Privacy > Data Export
  • Search for the individual by name or email
  • Click "Generate Export"
  • A downloadable ZIP file is created containing all data for that individual
Data export tool generating a ZIP file for a subject access request

What the Export Includes

  • All visit records (date, time, location, host)
  • Photos captured during check-in
  • Signed documents (NDAs, agreements)
  • Pre-registration details
  • Any custom field data collected during check-in

The export is generated in a machine-readable format (JSON) alongside human-readable summaries (PDF), making it suitable for both technical and non-technical recipients.

Audit Trails

Porter maintains a comprehensive audit trail of all actions taken within the system. This is essential for demonstrating compliance during audits and investigations.

What Is Logged

  • Visitor check-ins and check-outs
  • Data deletions (right to erasure requests)
  • Setting changes (retention period, kiosk configuration, etc.)
  • API access (which key was used, what endpoint was called)
  • Team member actions (invitations, role changes, removals)
  • Evacuation mode activations and deactivations
Audit trail log showing a list of actions with timestamps

Audit Log Retention

  • Audit logs are retained for a minimum of 2 years
  • Audit log retention is separate from visitor data retention
  • Logs do not contain personal visitor data — only references and action metadata

Exporting Audit Logs

Export audit logs from Settings > Audit Trail > Export. Choose a date range and export as CSV or PDF. This is useful for compliance reviews, internal audits, and responding to regulatory requests.

Audit trail export dialog with date range selector
Was this article helpful?

Related Articles

Billing & Subscription Analytics & Reports